
6/14/2018 Mastering 4 Stages of Malware Analysis

Mastering 4 Stages of Malware Analysis


Examining malicious software involves a variety of tasks, some simpler than others. These efforts can be grouped into stages based on the nature of the associated malware analysis techniques. Layered on top of each other, these stages form a pyramid that grows upwards in complexity. The closer you get to the top, the more burdensome the effort and the less common the skill set.

Fully-Automated Analysis

The easiest way to assess the nature of a suspicious file is to scan it using fully-automated tools, some of which are available as commercial products and some as free ones. These utilities are designed to quickly assess what the specimen might do if it ran on a system. They typically produce reports with details such as the registry keys used by the malicious program, its mutex values, file activity, network traffic, etc.

Fully-automated tools usually don’t provide as much insight as a human analyst would obtain when examining the specimen in a more manual fashion. However, they contribute to the incident response process by rapidly handling vast amounts of malware, allowing the analyst (whose time is relatively expensive) to focus on the cases that truly require a human’s attention.

For a listing of free services and tools that can perform automated
analysis, see my lists of Toolkits for Automating Malware Analysis
(/malware-analysis-tool-frameworks/) and Automated Malware Analysis
Services (/automated-malware-analysis/).

Static Properties Analysis

An analyst interested in taking a closer look at the suspicious file might proceed by examining its static properties. Such details can be obtained relatively quickly, because they don’t involve running the potentially malicious program. Static properties include the strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc.

Looking at static properties can sometimes be sufficient for defining basic indicators of compromise (/indicators-of-compromise-entering-the-mainstream). This process also helps determine whether the analyst should take a closer look at the specimen using more comprehensive techniques and where to focus the subsequent steps. Analyzing static properties is useful as part of the incident triage effort.

VirusTotal (https://www.virustotal.com/) is an example of an excellent online tool whose output includes the file’s static properties. For a look at some free utilities you can run locally in your lab, see my posts Analyzing Static Properties of Suspicious Files on Windows (http://digital-forensics.sans.org/blog/2014/03/04/tools-for-analyzing-static-properties-of-suspicious-files-on-windows) and Examining XOR Obfuscation for Malware Analysis (http://digital-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis).

Interactive Behavior Analysis

After using automated tools and examining static properties of the file, as well as taking into account the overall context of the investigation, the analyst might decide to take a closer look at the specimen. This often entails infecting an isolated laboratory system with the malicious program to observe its behavior.

Behavioral analysis involves examining how the sample runs in the lab to understand its registry, file system, process and network activities. Understanding how the program uses memory (e.g., performing memory forensics) can bring additional insights. This malware analysis stage is especially fruitful when the researcher interacts with the malicious program, rather than passively observing the specimen.

The analyst might observe that the specimen attempts to connect to a particular host, which is not accessible in the isolated lab. The researcher could mimic the system in the lab and repeat the experiment to see what the malicious program would do after it is able to connect. For example, if the specimen uses the host as a command and control (C2) server, the analyst may be able to learn about the specimen by simulating the attacker’s C2 activities. This approach to molding the lab to evoke additional behavioral characteristics applies to files, registry keys and other dependencies that the specimen might have.

Being able to exercise this level of control over the specimen in a properly orchestrated lab is what differentiates this stage from fully-automated analysis tasks. Interacting with malware in creative ways is more time-consuming and complicated than running fully-automated tools. It generally requires more skills than performing the earlier tasks in the pyramid.
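
As an added illustration of mimicking the unreachable host (example code written for this page, not from the post), this Python stand-in answers the specimen’s HTTP requests on a lab address, records what it asked for, and returns canned replies the analyst adjusts between runs. The paths and replies are constructed placeholders; pointing the specimen’s target hostname at the stand-in is done in the isolated lab’s DNS or routing, which this code does not touch.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed canned replies keyed by URL path; an analyst tunes these after
# each run to see how the specimen reacts to a server that appears to work.
CANNED = {"/gate.php": b"OK", "/config.bin": b"interval=60;"}
OBSERVED = []  # every request the specimen made, in arrival order

def record_request(method, path, headers, body):
    """Keep the fields an analyst compares across runs; returns the record."""
    entry = {"method": method, "path": path, "host": headers.get("Host", ""),
             "user_agent": headers.get("User-Agent", ""), "body": body.decode("latin-1")}
    OBSERVED.append(entry)
    return entry

def canned_response(path):
    """Reply chosen by path only; unknown paths get an empty 200 so the sample keeps talking."""
    return CANNED.get(path.split("?", 1)[0], b"")

class StandInHandler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        record_request(self.command, self.path, self.headers, body)
        reply = canned_response(self.path)
        self.send_response(200)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = do_POST = _serve

    def log_message(self, *args):  # OBSERVED is the log; keep stderr quiet
        pass

def serve_in_background(bind="127.0.0.1", port=0):
    """Start the stand-in on the lab interface; port 0 picks a free port."""
    server = ThreadingHTTPServer((bind, port), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = serve_in_background()
    print("stand-in listening on", srv.server_address)
    input("route the specimen's target host here, run it, then press Enter\n")
    print(json.dumps(OBSERVED, indent=2))
```

Each run's OBSERVED list becomes the behavioral record for that iteration of the experiment, so differences between runs are attributable to the reply the analyst changed.
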
For additional insights related to interactive behavior analysis, see my post Virtualized Network Isolation for a Malware Analysis Lab (/vmware-network-isolation-for-malware-analysis), my recorded webcast Intro to Behavioral Analysis of Malicious Software (https://www.sans.org/webcasts/introduction-behavioral-analysis-malicious-software-97180) and Jake Williams’ Tips on Malware Analysis and Reverse-Engineering (http://digital-forensics.sans.org/blog/2013/02/12/jake-williams-tips-on-malware-analysis-and-reverse-engineering-3).

Manual Code Reversing

Reverse-engineering the code that comprises the specimen can add valuable insights to the findings available after completing interactive behavior analysis. Some characteristics of the specimen are simply impractical to exercise and examine without examining the code. Insights that only manual code reversing can provide include:

- Decoding encrypted data stored or transferred by the sample;
- Determining the logic of the malicious program’s domain generation algorithm;
- Understanding other capabilities of the sample that didn’t exhibit themselves during behavior analysis.

Manual code reversing involves the use of a disassembler and a debugger, which could be aided by a decompiler and a variety of plugins and specialized tools that automate some aspects of these efforts. Memory forensics can assist at this stage of the pyramid as well.

Reversing code can take a lot of time and requires a skill set that is
relatively rare. For this reason, many malware investigations don’t dig
into the code. However, knowing how to perform at least some code
reversing steps greatly increases the analyst’s view into the nature of
the malicious program in a comp

To get a sense for basic aspects of code-level reverse engineering in the context of other malware analysis stages, tune into my recorded webcast Introduction to Malware Analysis (/malware-analysis-webcast/). For a closer look at manual code reversing, read Dennis Yurichev’s e-book Reverse Engineering for Beginners (http://yurichev.com/writings/RE_for_beginners-en.pdf).
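
As an added illustration of the first item in the list above, decoding data the sample stores in obfuscated form (example code written for this page, not from the post or from the XOR tools it links), this Python recovers a single-byte XOR key by trying all 256 candidates and ranking the decodings by how text-like they look. The obfuscated blob and the hint list are constructed.

```python
import string

PRINTABLE = set(string.printable.encode())
# Constructed hint list: substrings a decoded configuration block often contains.
HINTS = (b"http", b".exe", b"Software\\", b".dll")

def xor_with_key(data, key):
    """XOR every byte with a repeating key of any length (also re-encodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def score_plaintext(candidate):
    """Printable ratio plus a bonus per hint found; higher reads more like text."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    return printable + 0.5 * sum(h in candidate for h in HINTS)

def recover_single_byte_xor(blob, top=3):
    """Try all 256 one-byte keys and return the best (key, plaintext) pairs, best first."""
    ranked = sorted(range(256), key=lambda k: score_plaintext(xor_with_key(blob, bytes([k]))),
                    reverse=True)
    return [(k, xor_with_key(blob, bytes([k]))) for k in ranked[:top]]

def build_sample():
    """Constructed obfuscated blob: a config string XORed with 0x5A, not taken from real malware."""
    return xor_with_key(b"http://example.invalid/update.bin|Software\\ConstructedSample", bytes([0x5A]))

if __name__ == "__main__":
    for key, plain in recover_single_byte_xor(build_sample()):
        print(f"key=0x{key:02X} score={score_plaintext(plain):.2f} {plain!r}")
```

When the top candidates score closely, the blob is probably not single-byte XOR; the debugger is then the faster route to the routine that decodes it.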

Combining Malware Analysis Stages

The process of examining malicious software involves several stages, which could be listed in the order of increasing complexity and represented as a pyramid. However, viewing these stages as discrete and sequential steps over-simplifies the malware analysis process. In most cases, different types of analysis tasks are intertwined, with the insights gathered in one stage informing efforts conducted in another. Perhaps the stages could be represented by a “wash, rinse, repeat (http://en.wikipedia.org/wiki/Wash,_rinse,_repeat)” cycle that could only be interrupted when the analyst runs out of time.

If you’re interested in this topic, check out the malware analysis course (http://LearnREM.com/) I teach at SANS Institute. The pyramid presented in this post is based on a similar diagram by Alissa Torres (@sibertor (https://twitter.com/sibertor)). Also, Andrés Velázquez (@cibercrimen (https://twitter.com/cibercrimen)) translated this article into Spanish (http://digital-forensics.sans.org/blog/2014/07/29/etapas-del-analisis-de-malware).

Updated February 19, 2015


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs (https://www.minerva-labs.com/). In a previous role, he was responsible for security product management at NCR Corp (https://www.ncr.com/). Lenny also trains incident response and digital forensics professionals at SANS Institute (https://sans.org/). He frequently speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more (https://zeltser.com/about)

Copyright © 1995-2018 Lenny Zeltser. All rights reserved.
